Microsoft recently released its Patch Tuesday fixes, which included a patch for an actively exploited zero-day vulnerability, CVE-2023-21674. The vulnerability is a browser sandbox escape that could lead to system privilege escalation, and it has a base score of 8.8. Avast researchers Jan Vojtěšek, Milánek, and Przemek Gmerek explain:
“We observed an active exploitation of the vulnerability, and also can say that the vulnerability is likely part of a longer infection chain through browser, because for the CVE-2023-21674 exploit to work, the attackers already had to somehow obtain the ability to run arbitrary native code inside a sandboxed renderer process. This is something that is normally not possible against a fully patched browser unless the attackers possess a separate renderer 0-day exploit. However, we do not have the full chain.” (bleepingcomputer.com)
This CVE is being actively exploited, and patching immediately is recommended.
The patch addresses: